5

Due to popular "locky" and similar malware out there I need to disable macros for all installed Microsoft Office products (Word, Excel...) globally for any user who logs in to a particular server running Windows Server 2012 R2.

How to do that?

The server is not a domain controller, so I have no Administrative Templates available, as some resources I've read suggest.

Thank you!

2
  • I hope you know that there are other infection vectors that locky uses, and only disabling Office macros won't provide 100% protection from that malware. We need to know more about your server configuration in order to help.
    – Ramhound
    Commented May 4, 2016 at 15:16
  • @Ramhound they also use .js files, but that is handled via having enabled Internet Explorer Enhanced Security (IEES), which disables all but whitelisted sites/files to run JavaScript.
    – crysman
    Commented May 4, 2016 at 15:23

2 Answers

2

It can be done via Group Policy with appropriate Administrative Templates present. This HOWTO is for machines with no GPO central store [1]. You might use the classic templates (ADM) [2], or the new ones (ADMX). I recommend ADMX, not only because it is newer and not obsolete, but mainly because it allows you to browse All Settings in the GPOs at once.

  1. Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
  2. Extract the files to some temporary location (it is usually a self-extracting exe, or msi package). Here is how to extract files from msi [3].
  3. Copy all the ADMX files into %systemroot%\PolicyDefinitions\ and the included language files into %systemroot%\PolicyDefinitions\<appropriate_language_directory> (probably en-US).
  4. Set-up the GPOs:
    1. under User Configuration -> Administrative Templates -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications.
    2. [optional] you might also want to enable the Disable All ActiveX option in the same branch.
    3. go to User Configuration -> Administrative Templates -> Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all without notification"

hint: Group Policy Editor is "gpedit.msc"

[1] https://support.microsoft.com/en-us/help/929841/how-to-create-the-central-store-for-group-policy-administrative-template-files-in-windows-vista

[2] https://superuser.com/a/1073064/440382

[3] How do I extract files from an MSI package?
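A way to confirm the Trust Center setting from step 4 actually landed for a given user, as an added example that is not part of the answer above. It assumes the policy is stored as the `VBAWarnings` value under `HKCU:\Software\Policies\Microsoft\Office\<version>\<app>\Security`, that `16.0` is the installed Office version key, and that the value `4` corresponds to "Disable all without notification"; adjust these to your installation. Because the policy is per-user, run it in each user's session (for example from a logon script).

```powershell
# Added example: audit the per-user macro policy written by the
# "VBA Macro Notification Settings" GPO. Not code from the original answer.
# Assumptions: Office version key, application list, and the VBAWarnings
# value name/location under HKCU:\Software\Policies.
param(
    [string]$OfficeVersion = '16.0',                      # assumed: Office 2016
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),   # assumed app list
    [int]$RequiredValue = 4                               # "Disable all without notification"
)

# Meaning of each VBAWarnings value, matching the Trust Center options
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

$results = foreach ($app in $Apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $value = $null
    if (Test-Path -LiteralPath $key) {
        # A missing value yields $null instead of a terminating error
        $value = (Get-ItemProperty -LiteralPath $key -Name VBAWarnings `
                  -ErrorAction SilentlyContinue).VBAWarnings
    }
    [pscustomobject]@{
        User        = $env:USERNAME
        App         = $app
        VBAWarnings = if ($null -eq $value) { 'not set' } else { $value }
        Setting     = if ($null -eq $value) { 'policy not applied' }
                      else { $meaning[[int]$value] }
        Compliant   = ($value -eq $RequiredValue)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a logon script or scheduled task flag the gap
if ($results.Compliant -contains $false) { exit 1 }
```

A "not set" result after editing the policy usually means the policy has not refreshed for that user yet; `gpupdate /force` followed by a new logon applies it.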

1
1

It can be done via Group Policy with appropriate Administrative Templates installed/imported.

  1. Download the templates: go to https://www.microsoft.com/en-us/download and search for "Office 20xx Administrative Template files", where xx is your Office version installed.
  2. Import them to Group Policy Editor: right click on User Configuration -> Administrative Templates and click "Add/Remove Templates" -> Add -> browse to the folder you saved the templates to (browse to the ADM folder) -> OK
  3. Set it all up:
    1. under User Configuration -> Administrative Templates -> Classic Administrative Templates (ADM) -> Microsoft Office 20xx -> Security Settings -> enable the Disable VBA for Office applications
    2. in the same branch select all products you want to have macros disabled (typically Word, Excel and PowerPoint) and go to Microsoft 20xx -> Options -> Security -> Trust Center -> enable the VBA Macro Notification Settings as "Disable all with notification"

hint: Group Policy Editor is "gpedit.msc"

16
  • The author's machines are not connected to a domain controller, so using group policy, will be sort of tough to enforce.
    – Ramhound
    Commented May 4, 2016 at 15:15
  • Yes.. I've seen hints like this... but I do not have it there. When I go to Group policy editor -> Local Computer Policy -> Computer Configuration -> Administrative Templates -> All Settings ... there is no "VBA Macro..." Nor is it in the "User Configuration" branch
    – crysman
    Commented May 4, 2016 at 15:16
  • go to start and type gpedit.msc and hit enter Commented May 4, 2016 at 15:17
  • 1
    microsoft.com/en-us/download/details.aspx?id=35554 download the template here Commented May 4, 2016 at 15:22
  • 1
    in gpedit right click on "Administrative Templates" and click "Add/Remove templates" then "Add" then browse to the template Commented May 4, 2016 at 15:24
